adapted the latest CSP security patch to include the gitcdn URL to query

for newer firmware devices for RaspberryMatic. Also added "X-WebKit-CSP" response header to serve older webbrowsers as well. In addition, neither lighttpd nor ReGa will now output any "Server:" response header anymore to prevents detailed analyses on the web server type. This refs #597.
jens-maus · Apr 10, 2019 · fd5c89a · fd5c89a
1 parent 2caee8c
commit fd5c89a
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf b/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf
@@ -1,10 +1,11 @@
 setenv.set-response-header = (
-  "Server" => "Server"
+  "Server" => ""
 )
 
 setenv.add-response-header = (
-  "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com;style-src 'unsafe-inline' 'self';img-src 'self' data:",
-  "X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com;style-src 'unsafe-inline' 'self';img-src 'self' data:",
+  "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+  "X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+  "X-WebKit-CSP" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
   "X-Frame-Options" => "SAMEORIGIN",
   "X-Content-Type-Options" => "nosniff",
   "X-XSS-Protection" => "1; mode=block",

diff --git a/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf b/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf
@@ -119,7 +119,7 @@ server.document-root = server_root
 ##
 ## It would be nice to keep it at "lighttpd".
 ##
-#server.tag = "lighttpd"
+server.tag = ""
 
 ##
 ## store a pid file

diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf b/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf
@@ -141,7 +141,7 @@ server.document-root = server_root
 ##
 ## It would be nice to keep it at "lighttpd".
 ##
-#server.tag = "lighttpd"
+server.tag = ""
 
 ##
 ## store a pid file